Classification

Category :

Malware

Type :

Virus

Platform :

W97M

Aliases :

Pri, PSD, Pri.A

Summary

W97M/Pri is a polymorphic Word 97 macro virus.

It activates when an infected document is opened. At this point it will check whether the global template is already infected or not. If it is not, the virus copies itself and modifies itself during this process.

When the virus has infected the global tempate, it infects all documents when they are closed. Also, the "Tools/Macros/Visual Basic Editor" menu is hooked which renders it in unusable state.

When the virus infects documents or the global template, it checks if the hour of the current time and minutes are the same. If the check passes, the payload will be create ten random shapes of random colors to the current document.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:Pri.B

This variant is very similar to W97M/Pri.A with only a few differences.

This variant adds a code to the hooked "Tools/Macros/Visual Basic Editor" menu that causes the Word to quit immediately without saving any changes.

The other difference is that the payload will create a random number of shapes instead of ten when activated.

Variant:Pri.Q (Prilissa, Melissa.W, Melissa.AG, W97M.Antisocial.G)

This variant contains a mass mailing part stolen from W97M/Melissa and a destructive payload.

Futher information about W97M/Melissa is available at: https://www.F-Secure.com/v-descs/melissa.shtml

The payload activates on 25th December. At that time the virus overwrites first "C:\Autoexec.bat" with a code that will format the "C:" drive immediately after the system has been restarted. However, this payload does not work in Windows NT. "Autoexec.bat" contains the following text, also:

Vine...Vide...Vice...Moslem Power Never End...

 Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!

When the virus has overwritten "C:\Autoexec.bat" it shows a message box with the following text:

Vine...Vide...Vice...Moslem Power Never End...

 You Dare Rise Against Me...The Human Era is Over, The CyberNET

 Era Has Come !!!

After that the virus adds a random number of shapes to the active document. These shapes are filled with a random color.

The virus mass mails itself to the first 50 recipients listed in each address book. The message that it sends looks like this:

Subject:

Message From (User Name)

 Body: This document is very Important

 and you've GOT to read this !!!

Where "(User Name)" is replaced with the name of the infected user. The message contains a copy of the infected active document, too.

Then the virus changes the registry to mark that the mass mailing has been done. The key

HKEY_CURRENT_USER\Software\Microsoft\Office\CyberNET

is set to value:

(C)1999 - Indonesia by AnomOke!

Once it has mass mailed itself, the virus replicates when a document is opened or closed.

The virus disables the built-in virus protection and hides the last recently opened files in the "File" menu. It also hooks both "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus.